[DSE-Dev] [refpolicy] Debian: ldd /sbin/udevd, need to use interactive fds
Václav Ovsík
vaclav.ovsik at i.cz
Mon Sep 15 13:36:30 UTC 2008
On Fri, Sep 12, 2008 at 04:29:22PM +0200, Václav Ovsík wrote:
> While I was reading this, I opened /usr/bin/ldd to look in it and was
> a bit surprised by a block:
>
> => # The following use of cat is needed to make ldd work in SELinux
> => # environments where the executed program might not have permissions
> => # to write to the console/tty. But only bash 3.x supports the pipefail
> => # option, and we don't bother to handle the case for older bash versions.
> => if set -o pipefail 2> /dev/null; then
> => try_trace() {
> => eval $add_env '"$@"' | cat
> => }
> => else
> => try_trace() {
> => eval $add_env '"$@"'
> => }
> => fi
>
> I must have completely overlooked this the first time. I am going to play
> with it a bit. I hope some correction of this can eliminate our headache
> on the policy side. I will write next week.
A little improvement of the workaround already part of ldd:
--- /usr/bin/ldd.orig 2008-07-29 07:21:35.000000000 +0200
+++ /usr/bin/ldd 2008-09-15 12:22:01.000000000 +0200
@@ -114,7 +114,7 @@
# option, and we don't bother to handle the case for older bash versions.
if set -o pipefail 2> /dev/null; then
try_trace() {
- eval $add_env '"$@"' | cat
+ eval $add_env '"$@"' <&- 2>&1 | cat
}
else
try_trace() {
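Review bot: the `else` branch in the trailing context (`try_trace() { eval $add_env '"$@"' }`, used when `set -o pipefail` is unavailable) is left untouched, so on such shells the traced program still inherits the terminal descriptors and the denial this change removes would still occur there; consider applying the same redirections in that branch too. Separately, `<&-` closes stdin outright instead of pointing it at `/dev/null`, so the first file the traced program (or the dynamic loader inside it) opens will be handed fd 0; `< /dev/null 2>&1 | cat` avoids that while still keeping every inherited descriptor away from the tty. Note also that `2>&1` routes the loader's error messages into stdout, which changes what a caller capturing only ldd's stdout receives.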
That is, all inherited file descriptors connected to a user terminal
are moved away. The SE Linux denial disappeared. Sorry for the noise with
the ldd domain; it can be forgotten.
Reported as a bug in the Debian BTS:
...hmm, the assignment still hasn't arrived after several hours...
I will send the bug number later.
Regards
--
Zito